It may not be the strongest security measure, but many administrators are not quite sure about HTTP headers like Server or X-Powered-By. There seems to be just one reason why this header has to be in an HTTP response: it makes life easier for a hacker. So why not just remove it? Or even fake a false server? In fact there is no technical need for these headers. We have a NetScaler, the ultimate magic HTTP box, so let's do it!

I use this as an example. One of my students sent a message asking me how to invoke policy labels.

Replacing server headers may not bring the big security gain you expect: every (real) hacker will be able to recognise your server software just by using it. But it is a good example for NetScaler policy labels.

will insert the fake header. (I did not take screenshots of all of them, as this is very similar to X-Powered-By.) Of course we may fake some more headers if we like. I just limit it to these 3 headers to keep things simple.

We then have to bind these policies globally to all our HTTP load balancers on our NetScaler. I'm a lazy guy, so I prefer to avoid unnecessary work whenever possible. Policy labels make this work easier and faster, so I have started to love them!

There is just one drawback to policy labels: you have to invoke them using a policy. There is no other way to invoke them. So I create a dummy policy:
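The whole procedure on the NetScaler command line, as an added example that is not the post's own configuration: the object names are hypothetical, and "Apache" is a constructed placeholder for whatever server string you want to present.

```nscli
# Added example, not from the original post. Names are hypothetical;
# "Apache" is a constructed placeholder value.

# 1. Actions: overwrite the Server value when present, add it when absent,
#    and drop X-Powered-By entirely.
add rewrite action rw_act_replace_server replace "HTTP.RES.HEADER(\"Server\")" "\"Apache\""
add rewrite action rw_act_insert_server insert_http_header Server "\"Apache\""
add rewrite action rw_act_delete_xpb delete_http_header X-Powered-By

# 2. Policies: each action only fires when its header condition holds, so
#    the replace and the insert never touch the same header in one response.
add rewrite policy rw_pol_replace_server "HTTP.RES.HEADER(\"Server\").EXISTS" rw_act_replace_server
add rewrite policy rw_pol_insert_server "HTTP.RES.HEADER(\"Server\").EXISTS.NOT" rw_act_insert_server
add rewrite policy rw_pol_delete_xpb "HTTP.RES.HEADER(\"X-Powered-By\").EXISTS" rw_act_delete_xpb

# 3. A response-side policy label that holds all the header policies.
add rewrite policylabel rw_lbl_fake_headers http_res
bind rewrite policylabel rw_lbl_fake_headers rw_pol_replace_server 100 NEXT
bind rewrite policylabel rw_lbl_fake_headers rw_pol_insert_server 110 NEXT
bind rewrite policylabel rw_lbl_fake_headers rw_pol_delete_xpb 120 END

# 4. The dummy policy: a label can only be reached through a policy, so bind
#    one that always matches, does nothing itself (NOREWRITE) and invokes
#    the label. Binding it globally covers every HTTP vServer at once.
add rewrite policy rw_pol_invoke_headers true NOREWRITE
bind rewrite global rw_pol_invoke_headers 100 NEXT -type RES_DEFAULT -invoke policylabel rw_lbl_fake_headers

# Check: the label lists its bound policies, the global binding shows the invoke.
show rewrite policylabel rw_lbl_fake_headers
show rewrite global
```

To verify the result end to end, request any page through a load balancer and compare the Server and X-Powered-By headers with those the backend returns directly.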